HAProxy Configuration
- Updated on 17 Oct 2020
- 1 Minute to read
It is recommended to run HAProxy with an SSL-termination style of configuration: HAProxy terminates the TLS connection from the agent and opens its own connection to the SecureCircle server nodes. Because the proxy can then see the HTTP request, it can forward agent connection information (such as the agent's source IP) to the server nodes in request headers.
The SSL certificate and its associated private key must be given to HAProxy in a single PEM file. The HAProxy 1.8 documentation for the `crt` bind keyword describes the file as follows:
http://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-crt
It designates a PEM file containing both the required certificates and any associated private keys. This file can be built by concatenating multiple PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA requires an intermediate certificate, this can also be concatenated into this file.
It is assumed that the SecureCircle server nodes listen for HTTPS traffic on port 443 using a self-signed or other certificate.
haproxy.cfg

```haproxy
global
    daemon
    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL). This list is from:
    # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
    # An alternative list with additional directives can be obtained from
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
    ssl-default-bind-ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
    ssl-default-bind-options no-sslv3

defaults
    mode http
    timeout connect 5000
    timeout client 50000
    timeout server 50000

frontend http-in
    # The balancer will listen on port 80 and redirect to HTTPS
    bind *:80
    redirect scheme https if !{ ssl_fc }
    # The balancer will terminate SSL traffic on port 443 using the specified PEM keychain
    bind *:443 ssl crt /path/to/your/keychain.pem
    # Traffic will be routed to the nodes backend
    default_backend nodes

backend nodes
    # Inject headers so the nodes know agent information
    option forwardfor
    http-request add-header X-Consumer-IP %[src]
    # Balance connections across servers using a round-robin approach
    balance roundrobin
    # Ensure nodes are healthy before routing traffic to them
    option httpchk GET /web/login.html
    # Servers that will be routed to
    # It's recommended to replace "ssl verify none" with:
    # ssl verify required ca-file /path/to/server-ca
    # ca-file will either be the server's self-signed cert or CA cert(s)
    server SC01 172.17.0.2:443 check ssl verify none
    server SC02 172.17.0.3:443 check ssl verify none
    server SC03 172.17.0.4:443 check ssl verify none
```
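The comment in the backend above recommends replacing `ssl verify none` with `ssl verify required ca-file ...`, which is easy to forget when the example is copied as-is. The following is an added example, not part of the original page or of SecureCircle's tooling: a small lint that reads an haproxy.cfg and reports backend `server` lines that still skip certificate verification, a port-443 `bind` without `ssl crt`, and a missing `no-sslv3` option. `SAMPLE_CFG` is a constructed, condensed copy of the configuration shown above.

```python
import shlex

# Constructed sample: a condensed copy of the haproxy.cfg shown on this page.
SAMPLE_CFG = """\
global
    daemon
    ssl-default-bind-options no-sslv3
frontend http-in
    bind *:80
    redirect scheme https if !{ ssl_fc }
    bind *:443 ssl crt /path/to/your/keychain.pem
    default_backend nodes
backend nodes
    option forwardfor
    server SC01 172.17.0.2:443 check ssl verify none
    server SC02 172.17.0.3:443 check ssl verify none
"""

def lint_haproxy_tls(cfg_text):
    """Return (section, item, message) tuples for the TLS weaknesses found."""
    findings = []
    section = None
    has_no_sslv3 = False
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        tokens = shlex.split(line)
        kw = tokens[0]
        if kw in ("global", "defaults", "frontend", "backend", "listen"):
            section = " ".join(tokens[:2])
            continue
        if kw == "ssl-default-bind-options" and "no-sslv3" in tokens[1:]:
            has_no_sslv3 = True
        # A port-443 bind without "ssl crt" would serve plaintext on 443.
        if kw == "bind" and tokens[1].endswith(":443") and "ssl" not in tokens:
            findings.append((section, tokens[1], "bind on 443 without ssl crt"))
        # Backend TLS: "verify none" skips the node certificate check entirely.
        if kw == "server" and "ssl" in tokens:
            name = tokens[1]
            if "verify" not in tokens:
                findings.append((section, name, "verify not set explicitly"))
            elif tokens[tokens.index("verify") + 1] != "required":
                findings.append((section, name, "ssl verify none: node cert unchecked"))
            elif "ca-file" not in tokens:
                findings.append((section, name, "verify required without ca-file"))
    if not has_no_sslv3:
        findings.append(("global", "ssl-default-bind-options", "no-sslv3 missing"))
    return findings
```

Running `lint_haproxy_tls(SAMPLE_CFG)` reports SC01 and SC02; after the recommended `verify required ca-file` change it reports nothing.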